Code4rena | CODE423N4:2023-08-ARBITRUM-FINDINGS-ISSUES-146
Aug 10, 2023 - 12:00 a.m.

Anyone can call the perform function because there is no access control

github.com
Tags: perform function, access control, unauthorized changes, security council, openzeppelin, mitigation, access control contract

Lines of code #L31-#L75

Vulnerability details

Impact

Anyone can call the perform function. It can lead to unauthorized changes in the security council.

Proof of Concept

There is no access control in the perform function and it is marked "external".

function perform(address _securityCouncil, address[] memory _updatedMembers, uint256 _nonce)
    external
    returns (bool res)
{

Anyone can call the perform function and update members of the security council.

Tools Used

Manual review

Recommended Mitigation Steps

Use an access control contract such as OpenZeppelin's AccessControl.
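
A sketch of the recommended mitigation, added here as an example and not taken from the report or the audited code base: the perform signature comes from the report, while the contract name, role name, event and placeholder body are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical contract: only the perform() signature is from the report.
contract GatedMemberUpdate is AccessControl {
    // Role name is an assumption made for this example.
    bytes32 public constant PERFORMER_ROLE = keccak256("PERFORMER_ROLE");

    // Hypothetical event standing in for the real state change.
    event MembersUpdateRequested(
        address indexed securityCouncil,
        uint256 memberCount,
        uint256 nonce
    );

    constructor(address admin, address performer) {
        require(admin != address(0) && performer != address(0), "zero address");
        // Admin can grant and revoke PERFORMER_ROLE after deployment.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        // The only account allowed to call perform().
        _grantRole(PERFORMER_ROLE, performer);
    }

    // Without onlyRole, any account reaches this body, which is the
    // condition the report describes. With it, a caller that lacks
    // PERFORMER_ROLE reverts before any state is touched.
    // Roles live in this contract's own storage, so the check is only
    // meaningful for a regular call, not a delegatecall from elsewhere.
    function perform(
        address _securityCouncil,
        address[] memory _updatedMembers,
        uint256 _nonce
    )
        external
        onlyRole(PERFORMER_ROLE)
        returns (bool res)
    {
        // Placeholder body: the member-update logic is not shown in the report.
        emit MembersUpdateRequested(_securityCouncil, _updatedMembers.length, _nonce);
        return true;
    }
}
```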

Assessed type

Access Control

